fpr: Kolide, macOS, nvidia, neko

2025-02-26 15:00:30 +00:00 · 2023-05-16 10:28:19 -04:00 · 2023-05-16 10:28:19 -04:00 · d5a94b21d1
commit d5a94b21d1
parent 94947a252f
4 changed files with 6 additions and 2 deletions
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@ -156,6 +156,7 @@ WHERE
      p0_cmd LIKE '%/gcloud.py%'
      OR p0_cmd LIKE '%pip install%'
      OR p0_cmd LIKE '%googlecloudsdk/core/metrics_reporter.py%'
+      OR p0_cmd LIKE '%/main.py'
      OR p0_cmd LIKE '%/bin/aws%'
    )
  )
--- a/detection/evasion/unexpected-var-run-linux.sql
+++ b/detection/evasion/unexpected-var-run-linux.sql
@ -43,6 +43,7 @@ WHERE
    'haproxy.pid',
    "lightdm.pid",
    'mcelog.pid',
+    'nvidia-powerd.pid',
    'motd',
    'nvidia_runtimepm_enabled',
    'nvidia_runtimepm_supported',
--- a/detection/evasion/unexpected-var-run-macos.sql
+++ b/detection/evasion/unexpected-var-run-macos.sql
@ -44,6 +44,7 @@ WHERE
    'FirstBootAfterUpdate',
    'FirstBootCleanupHandled',
    'hdiejectd.pid',
+    'signpost_reporter_running',
    'kdc.pid',
    'prl_disp_service.pid',
    'prl_naptd.pid',
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@ -121,7 +121,6 @@ WHERE
  AND top3_dir NOT IN (
    '/Library/Apple/System',
    '/Library/Application Support/Adobe',
-    '~/Library/Caches/Cypress',
    '~/Library/Application Support/BraveSoftware',
    '/Library/Application Support/Canon_Inc_IC',
    '~/Library/Application Support/com.elgato.StreamDeck',
@ -133,8 +132,8 @@ WHERE
    '~/Library/Application Support/zoom.us',
    '~/Library/Caches/com.knollsoft.Rectangle',
    '~/Library/Caches/com.mimestream.Mimestream',
+    '~/Library/Caches/Cypress',
    '~/Library/Caches/JetBrains',
-    '~/.wdm/drivers/chromedriver',
    '~/Library/Caches/snyk',
    '/Library/Developer/CommandLineTools',
    '~/Library/Developer/Xcode',
@ -145,12 +144,14 @@ WHERE
    '/opt/homebrew/Caskroom',
    '/opt/homebrew/Cellar',
    '/opt/homebrew/Library',
+    '/private/var/kolide-k2',
    '/usr/libexec/AssetCache',
    '/usr/libexec/rosetta',
    '/usr/local/Cellar',
    '/usr/local/kolide-k2',
    '/Volumes/Google Chrome/Google Chrome.app',
    '/Volumes/Slack/Slack.app'
+    '~/.wdm/drivers/chromedriver',
  )
  AND dir NOT IN (
    '/bin',